It took me even longer than usual to process the feedback from the Choose the Optimal VPN Service webinar; all the things happening in May (from having numerous presentations to climbing my hardest route ever) left me mentally and physically exhausted. The webinar was a great success and although we’ve covered nine VPN technologies in just over two hours, we’ve managed not to get lost ... and the Q&A session at the end took almost 45 minutes, clearly a good indication that the students were engaged and wanted to understand all the intricate details. Here are two quotes from the participants:

Great session. Enjoyed the compare/contrast approach and feel that this approach gets to the critical issues most quickly.

Bob Dixon

It was good. I can’t wait for the recordings and the configuration examples. I’d like a single session about DMVPN, it has a lot of tricks.

Later someone sent me a message stating that you can match classless IP prefixes with an ip prefix-list... and it took me well over a year to find the time (and mental energy) to lab the scenario and document the results.

During last week’s 3rd Slovenian IPv6 summit (program description in English-resembling form) I had a short presentation on IPv6-related NAT topics. The initial idea was to cover only the technical details of NAT64/DNS64, but as nobody jumped at the opportunity to explain the differences between various NAT-based solutions to the audience, I decided to switch back to my default “big picture” perspective and describe the need for NAT, various NAT-like solutions and as many details about NAT64/DNS64 as my 30-minute slot permitted. Luckily, one of the other presenters was AWOL, so my slot got extended.

In another interesting timing coincidence, the documentation for IOS-XR release 3.9.1 appeared at approximately the same time (probably a little bit later) as I started to research the viability of CGv6 during the preparation for my NAT64/DNS64 presentation.

In another great blog post, Scott Berkun lays out his thoughts on what managers of programming teams should be able to do. You should read the whole article, as most concepts apply equally well to networking teams: if you’re a team leader, you should have decent knowledge of technology and its limitations, if you’re higher up the management chain, it’s more important that you can trust your people, work with them to reach good decisions ... and figure out when they’re bullshitting you.

We (NIL Data Communications) were able to find two ISPs with production-grade dual-stack IPv4/IPv6 service in Slovenia (a country with 2 million people, which puts us somewhere between Manhattan and Queens).

We had great fun listening to Christian Gotare from Ericsson during the 3rd Slovenian IPv6 Summit (program description as translated by Google Translate). He made numerous very strong statements about the (in)abilities of application programmers (watch his presentation ... it starts at approximately 0:42:00) and concluded his presentation with a live demo: he accessed Facebook through IPv6 from a Nokia phone running Symbian.

We all found the idea of an Ericsson guy doing a demo with a Nokia phone hilarious and I thought he wanted to demonstrate that even Nokia could get it done ... until one of the Slovenian mobile operators described the problems they’re facing when trying to deploy IPv6 in their mobile network.

John shared a great idea in his comment to my “FTP: a trip down the memory lane” post: when using some FTP servers you can specify the range of passive ports, allowing you to tighten your router ACL (otherwise you’d have to allow inbound connections to all TCP ports above 1024).

A while ago I bitterly complained about the FTP protocol design. I have a decades-long grudge against FTP. If you’re old enough to remember configuring firewalls before stateful inspection or reflexive access lists became available, you probably know what I’m talking about; if not, here’s the story.

When enterprises started using the Internet 15+ years ago, most desktop FTP clients did not support passive mode (although it was part of the FTP standard). When configuring “firewalls” (one or two routers with long access lists), you had to allow all inbound TCP sessions to ports higher than 1024 just to support FTP data sessions. No problem ... unless you were using Sun workstations or NetBIOS over TCP (both of them use dynamic server ports above 1024), in which case those services were totally exposed to the Internet.
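The two FTP passages above (John’s passive-port-range suggestion and the “open everything above 1024” story) can be made concrete with a small script. This is an added example, not code from the original posts or from ipSpace.net: it decodes the server’s passive-mode reply to find the data port the client will connect to, builds the old wide-open ACL next to the tightened one, and evaluates both with a tiny matcher for a subset of Cisco extended-ACL syntax. The server address 192.0.2.10, the passive range 50000-50100 and all function names are illustrative assumptions.

```python
"""Added example, not code from the original post or from ipSpace.net.

Shows why a stateless router ACL in front of a passive-mode FTP server had
to open every TCP port above 1023, and how a server-side passive port range
lets the ACL be tightened to that range.  Assumptions (not from the post):
the server is 192.0.2.10 and hands out data ports 50000-50100; all names
and the mini ACL evaluator are mine.
"""
import re
from typing import List, Tuple

# Assumed server address and the passive range its FTP daemon is configured with.
FTP_SERVER = "192.0.2.10"
PASV_MIN, PASV_MAX = 50000, 50100

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Decode an RFC 959 '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The client then opens a *new* inbound TCP connection to host:port, where
    port = p1 * 256 + p2.  That second connection is what the router ACL has
    to permit; allowing the control channel on port 21 is not enough.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"malformed PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"value out of range in PASV reply: {reply!r}")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("PASV reply advertised port 0")
    return f"{h1}.{h2}.{h3}.{h4}", port


def legacy_ftp_acl(server: str) -> List[str]:
    """The pre-passive-range ACL described in the post: control channel plus
    every high port, because the server may hand out any of them."""
    return [
        f"permit tcp any host {server} eq 21",
        "permit tcp any any gt 1023",
    ]


def tightened_ftp_acl(server: str, pasv_min: int, pasv_max: int) -> List[str]:
    """ACL that admits data connections only in the server's passive range."""
    if not 1024 <= pasv_min <= pasv_max <= 65535:
        raise ValueError("passive range must lie within 1024-65535")
    return [
        f"permit tcp any host {server} eq 21",
        f"permit tcp any host {server} range {pasv_min} {pasv_max}",
    ]


def acl_permits(acl: List[str], dst_ip: str, dst_port: int) -> bool:
    """Evaluate a tiny subset of Cisco extended-ACL syntax for an inbound TCP
    SYN: first matching line wins, implicit deny at the end.  Supported form:
    'permit|deny tcp any (any|host A.B.C.D) [eq N | gt N | range N M]'."""
    for line in acl:
        tok = line.split()
        action, proto, src, dst = tok[0], tok[1], tok[2], tok[3]
        if proto != "tcp" or src != "any":
            raise ValueError(f"unsupported ACL line: {line!r}")
        i = 4
        if dst == "host":
            if tok[4] != dst_ip:
                continue
            i = 5
        elif dst != "any":
            raise ValueError(f"unsupported destination in: {line!r}")
        port_ok = True
        if i < len(tok):
            op = tok[i]
            if op == "eq":
                port_ok = dst_port == int(tok[i + 1])
            elif op == "gt":
                port_ok = dst_port > int(tok[i + 1])
            elif op == "range":
                port_ok = int(tok[i + 1]) <= dst_port <= int(tok[i + 2])
            else:
                raise ValueError(f"unsupported port operator in: {line!r}")
        if port_ok:
            return action == "permit"
    return False  # implicit deny at the end of every Cisco ACL


def data_connection_allowed(acl: List[str], pasv_reply: str) -> bool:
    """Would this ACL let the client's data connection through?"""
    host, port = parse_pasv_reply(pasv_reply)
    return acl_permits(acl, host, port)


if __name__ == "__main__":
    # Constructed server reply: 195*256 + 88 = 50008, inside the assumed range.
    reply = "227 Entering Passive Mode (192,0,2,10,195,88)"
    for name, acl in (("legacy", legacy_ftp_acl(FTP_SERVER)),
                      ("tightened", tightened_ftp_acl(FTP_SERVER, PASV_MIN, PASV_MAX))):
        print(name, "FTP data:", data_connection_allowed(acl, reply),
              "| unrelated high port 32768:", acl_permits(acl, FTP_SERVER, 32768))
```

The failure mode worth checking before you tighten the ACL: if the daemon’s configured passive range and the ACL range disagree, the server will advertise a port the router drops, and transfers hang after a successful login rather than failing loudly. Running the advertised port through the same matcher (as `data_connection_allowed` does) catches that mismatch.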

As you might imagine, I'm "somewhat" busy working on my IPv6 summit presentation. I wrote this rant a while ago but somehow never managed to publish it.

In a comment to my piracy rant Steve asked how I feel about Safari. In principle, I like anything that brings my books to the readers in a more usable form, and Safari is a perfect idea: virtual bookshelf, searchable books, and temporary access to books you don’t need permanently ... The implementation, however, belongs to the previous century; it’s too easy to write a bot that scrapes the text from HTML and eventually collects the whole book.

However, I was not able to find anything beyond a few fancy videos, a white paper and a brochure. Can anyone shed more light on CGv6? Have you seen it running outside of PowerPoint? When can an IPv6-embracing Service Provider expect to see it on an ASR 1000?

And before you ask ... no, CGv6 is not described in my webinars; I only talk about features (not futures) that I was able to get my hands on.

Arnold sent me an excellent question yesterday; he bought my Deploying Zone-Based Firewalls book, but found no sample configurations using IPSec VPN. I was able to find a few sample configurations on CCO, but none of them included the self zone. The truly interesting bit of the puzzle is the traffic being received or sent by the router (everything else is self-explanatory if you’ve read my book), so those configurations are not of great help.

A few days ago I received a cryptic e-mail with exactly this content: “I am having a issue "static routes not flushed when next hop is unreachable" please advice.” I suspected that the sender actually wanted to ask me what to do if a static route pointing to an IP next-hop does not disappear when the next hop becomes unreachable and told him to adjust the ip route static adjust-time parameter while monitoring the CPU usage.

Whenever you decide to use MPLS/VPN services from a Service Provider, you’re effectively ripping out your network core (including the core routers) and replacing it with the layer-3 SP backbone (the equipment vendors or service providers sometimes fail to mention this fact).

The network core outsourcing usually makes sense from the financial perspective, but also creates a significant lock-in and high switching costs that you should consider in combination with the CapEx/OpEx cost analysis when selecting your VPN service. We’ll discuss the benefits and drawbacks of MPLS/VPN and numerous other VPN technologies in the Choose the Optimum VPN Service webinar (register here).

One would hope that the IPv6 myths are slowly fading away as more people get exposed to IPv6 ... but if you like them, don’t worry; they are constantly being recycled. The IPv6: Why Bother? article published by InformIT is a perfect example:

With IPv6, there are enough addresses now that every country or major network can be assigned a large range. It can then assign subranges within that to networks that it connects to, and so on. This hierarchical assignment (in theory, at least) simplifies routing decisions.

Yes, it’s true. It’s absolutely possible to engineer solutions across most cloud services today that meet or exceed the security provided within the walled gardens of your enterprise today.

The realities of that statement come crashing down, however, when people confuse possibility with the capability to execute whilst not disrupting the business and not requiring wholesale re-architecture of applications, security, privacy, operations, compliance, economics, organization, culture and governance.

The author

Ivan Pepelnjak (CCIE#1354 Emeritus), Independent Network Architect at ipSpace.net, has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced internetworking technologies since 1990.